Why HIPAA Compliance Is Vital For Your Business

HIPAA is the Health Insurance Portability and Accountability Act. It’s the legislation that makes sure your protected health information (PHI) is kept private and kept secure. It covers how healthcare providers and associated businesses should keep handle your data and protect your health information, and provides the standards needed to ensure PHI data stored, handled, and accessed correctly at all times.

It also lays out the significant fines and penalties for individuals and organizations that handle sensitive PHI data but don’t comply with the standards.

PHI includes:

• All your medical records, such as blood test results or an MRI scan.
• Billing records at the doctor’s office.
• Conversations (emails, notes) about your health between you and your doctor, your doctor and other medical staff, or your health provider and your insurance company.

Initially only doctors, hospitals, and insurance companies needed to comply with HIPAA specifications, as they were the only people and organizations with access to PHI. These are known as Covered Entities and include any organization that provides “treatment, payment, and health care operations.”

Covered Entities include:

• Doctors and their offices
• Hospitals
• Pharmacies
• Insurance companies
• HMOs

However, a 2013 update increased the scope of HIPAA to take into account the increased use of outsourcing and cloud providers in healthcare. Any service transmits, stores, or receives PHI data is now categorized as a Business Associate and has to comply with HIPAA.

Business Associates include:

• A medical transcription service providing services to a doctor.
• A SaaS company that provides cloud-based electronic health records for physicians.
• An analytics company that processes medical data.

For a covered entity or a business associate to be compliant with HIPAA law, they are required to do 4 things:

1. Have safeguards so that PHI data is always protected.
2. Restrict access to PHI data to only those people needed to accomplish the intended purpose.
3. Have Business Associate Agreements (BAAs) in place with service providers to ensure security of PHI data.
4. Have procedures and policies to limit access to PHI data, and training in place to teach employees and users about data security and privacy.

Of the 4 HIPAA rules (Security, Privacy, Enforcement, and Breach Notification) it’s the HIPAA Security Rule that developers have to pay close attention to.

For SaaS companies wanting to work with healthcare providers, medical organizations or business associates already working in the industry, the Security Rule sets out how PHI data must be handled by the app or service.

This rule lays out the Technical Safeguards that make sure access to data is controlled, that data is secure, and individuals are properly authenticated.

• Access Control. There must be policies and procedures in place to make sure only authorized users are allowed access to PHI data. This could include unique identifiers for each user, emergency access procedures, and encryption procedures.
• Audit Controls. Mechanisms should be in place to record activity in the system and examine access by individuals.
• Integrity Controls. Any PHI data should not be improperly altered or destroyed and procedures put in place so that auditors can confirm whether this has happened.
• Transmission Security. Security measures should be in place to make sure no unauthorized access to the PHI data happens as it is transferred over a network.

Using HIPAA standards opens you up to new customers in a growing market. 67% of healthcare organizations are currently using a SaaS service in their workflow, with 92% of healthcare providers saying that that they can see a future use for SaaS in their organization. By applying HIPAA standards, you can tap into the $3 trillion healthcare industry.

By working towards HIPAA compliance, you are able to market yourself to 3 new customer bases:

• Covered Entities
  • 80% of physicians and 60% of hospitals are now using electronic health records (EHR). These companies require HIPAA compliance for any cloud service they use.
• Business Associates
  • As well as the covered entities, other business associates who process PHI can be assured that your service will also protect any data. As the cloud market grows for healthcare, 3rd party solutions for business associates will be able to market themselves as business associates.
• Wearables & Health Technologies
  • Though wearables don’t have to be HIPAA compliant currently, the trend towards sharing personal health data from wearables and apps means that these companies blur the lines between what does and doesn’t need to be HIPAA-compliant. For instance, Fitbit is now HIPAA compliant so that B2B companies can share the data from their Fitbit Wellness program with covered entities.

Auth0 offers HIPAA Business Associate Agreements to customers handling PHI data. This allows companies to be HIPAA-compliant by using Auth0 as an identity and authentication service.

Here are 2 HIPAA security rule technical safeguards addressed by Auth0:

Automatic Logoff

Automatic Logoff is an “addressable” part of the technical requirements of the security rule. This doesn’t mean optional. Addressable specifications should be implemented if it’s reasonable and appropriate to do so.

You can set Auth0 to automatically log out a user after a certain length of inactivity easily using the dashboard. You just have to set the JSON Web Token expiration time, in App Settings, to your predetermined time of inactivity. In this scenario, the app will automatically log the user out after 15 minutes of inactivity:

Authentication

To keep the data private and secure, it’s important to authenticate users properly so that only those with the requisite credentials can access the accounts. Using Auth0, a business associate or covered entity can use their own federated sign on solution through SAML to control access. Implementing SAML is easy is Auth0, click here for the video tutorial.